From 81a9d9e5de91a515766d79a4e0a13d9f89cbfaf4 Mon Sep 17 00:00:00 2001
From: Andrew Smith
Date: Thu, 30 Jan 2025 17:13:52 +0000
Subject: [PATCH] fix: sign_out not clearing session when exception raised (#665)
---
 supabase_auth/_async/gotrue_client.py | 14 ++++++--------
 supabase_auth/_sync/gotrue_client.py | 14 ++++++--------
 2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/supabase_auth/_async/gotrue_client.py b/supabase_auth/_async/gotrue_client.py
index feb005f8..eb790e55 100644
--- a/supabase_auth/_async/gotrue_client.py
+++ b/supabase_auth/_async/gotrue_client.py
@@ -721,12 +721,10 @@ async def refresh_session(
 async def sign_out(self, options: SignOutOptions = {"scope": "global"}) -> None:
 """
- Inside a browser context, `sign_out` will remove the logged in user from the
- browser session and log them out - removing all items from localstorage and
- then trigger a `"SIGNED_OUT"` event.
+ `sign_out` will remove the logged in user from the
+ current session and log them out - removing all items from storage and then trigger a `"SIGNED_OUT"` event.
- For server-side management, you can revoke all refresh tokens for a user by
- passing a user's JWT through to `api.sign_out`.
+ For advanced use cases, you can revoke all refresh tokens for a user by passing a user's JWT through to `admin.sign_out`.
 There is no way to revoke a user's access token jwt until it expires.
 It is recommended to set a shorter expiry on the jwt for this reason.
@@ -737,9 +735,9 @@ async def sign_out(self, options: SignOutOptions = {"scope": "global"}) -> None:
 if access_token:
 await self.admin.sign_out(access_token, options["scope"])
- if options["scope"] != "others":
- await self._remove_session()
- self._notify_all_subscribers("SIGNED_OUT", None)
+ if options["scope"] != "others":
+ await self._remove_session()
+ self._notify_all_subscribers("SIGNED_OUT", None)
 def on_auth_state_change(
 self,
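Review bot: The rewritten docstring still says nothing about what happens when the server-side call fails, which is exactly the behaviour this commit changes: after the second hunk the local session is cleared and `SIGNED_OUT` is emitted whether or not `admin.sign_out` succeeded, and the error itself appears to be swallowed by the enclosing block (its header is outside the hunk, so this is inferred from the commit title and the dedent). A caller that relies on `sign_out` to invalidate the refresh token server-side should be told that; add after the `admin.sign_out` sentence: `If the server-side revocation fails, the local session is still cleared and "SIGNED_OUT" is still emitted, so the refresh token may remain valid server-side until it expires.` The two added lines are also roughly 115 and 125 characters wide while the surrounding text is wrapped near 80, so rewrap them to match. The identical docstring change in `supabase_auth/_sync/gotrue_client.py` needs the same sentence.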
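Review bot: Dedenting `if options["scope"] != "others":` makes `_remove_session()` and the `SIGNED_OUT` notification run even when `self.admin.sign_out(...)` has raised, but nothing records that the server-side revocation failed, so the client ends up looking signed out while the refresh token may still be valid server-side; the construct that swallows that exception begins before the hunk, so this is inferred from the commit title. At minimum make the trade-off explicit at the dedented line, `# Always clear the local session, even if the server-side revocation above failed (that error is swallowed; the refresh token may then stay valid until it expires).`, and consider logging the suppressed error where it is caught. Note also that the dedented block now sits outside that construct, so an exception from `_remove_session()` will propagate instead of being swallowed — confirm that is intended. `sign_out`'s body begins outside the hunk, and the same dedent in `supabase_auth/_sync/gotrue_client.py` has the same issue.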
diff --git a/supabase_auth/_sync/gotrue_client.py b/supabase_auth/_sync/gotrue_client.py
index 80d648c5..4fe70bcd 100644
--- a/supabase_auth/_sync/gotrue_client.py
+++ b/supabase_auth/_sync/gotrue_client.py
@@ -717,12 +717,10 @@ def refresh_session(self, refresh_token: Optional[str] = None) -> AuthResponse:
 def sign_out(self, options: SignOutOptions = {"scope": "global"}) -> None:
 """
- Inside a browser context, `sign_out` will remove the logged in user from the
- browser session and log them out - removing all items from localstorage and
- then trigger a `"SIGNED_OUT"` event.
+ `sign_out` will remove the logged in user from the
+ current session and log them out - removing all items from storage and then trigger a `"SIGNED_OUT"` event.
- For server-side management, you can revoke all refresh tokens for a user by
- passing a user's JWT through to `api.sign_out`.
+ For advanced use cases, you can revoke all refresh tokens for a user by passing a user's JWT through to `admin.sign_out`.
 There is no way to revoke a user's access token jwt until it expires.
 It is recommended to set a shorter expiry on the jwt for this reason.
@@ -733,9 +731,9 @@ def sign_out(self, options: SignOutOptions = {"scope": "global"}) -> None:
 if access_token:
 self.admin.sign_out(access_token, options["scope"])
- if options["scope"] != "others":
- self._remove_session()
- self._notify_all_subscribers("SIGNED_OUT", None)
+ if options["scope"] != "others":
+ self._remove_session()
+ self._notify_all_subscribers("SIGNED_OUT", None)
 def on_auth_state_change(
 self,